Re: GPL-licensed software linked against libssl on buildds!
On 20/01/10 at 09:30 +0100, Stefano Zacchiroli wrote:
> On Tue, Jan 19, 2010 at 03:40:22PM -0800, Russ Allbery wrote:
> > Because we want our users to be able to patch and rebuild our software to
> > suit their needs. Asking them to set up a chroot build environment is
> > asking quite a lot.
> AOL. Yesterday night I drafted a reply (which has lingered in my Draft
> box) and was almost word-by-word identical to this.
> In parallel to this, we should probably make easier than now to rebuild
> packages properly for our users (sysadms are not necessarily packagers),
> and that is proceeding quite well with recent schroot improvements, if
> you ask me.
What's the problem with documentation such as
https://wiki.ubuntu.com/PbuilderHowto (except it's an Ubuntu
documentation)? I think that the process of building with pbuilder is
reasonably well documented.
> On Tue, Jan 19, 2010 at 04:36:36PM -0800, Russ Allbery wrote:
> > > There are two ways to attack that problem:
> > > (1) We decide that we want to provide the guarantee that packages build
> > > the correct way in unclean envs. That mean making such bugs RC,
> > > basically, and making efforts to find such bugs.
> > > (2) We decide that it would be nice if packages don't do too crazy
> > > things when built in unclean envs, but provide no guarantee, and
> > > recommend the use of pbuilder and schroot + tarballs/lvm when people
> > > need guarantees.
> I don't understand why you insist on this aut-aut. Ideally, your (1) is
> the right one, but as of know it is (still?) hard to pursue, we put it
> as an ideal goal and we proceed towards it. Bugs in package should be
> filed (especially in the original case of this thread: heck, they
> resulted in two incompatible licenses linked together!), they are not
> RC, but they are still bugs. The day we will have a suitable / sure way
> to identify this bug in the first place, we will start enforcing it.
> On the same line, this whole issue is one of the reason why we have
> relationships like Build-Conflicts. Why having a non-declared
> Build-Conflicts shouldn't be a bug?
Feel free to start filing bugs. A good start would be the list of source
packages from 2008 that probably have a missing build-conflict, since
they produced different binary packages (according to debdiff) in an
unclean chroot. (that list contains some false positives)
| Lucas Nussbaum
| email@example.com http://www.lucas-nussbaum.net/ |
| jabber: firstname.lastname@example.org GPG: 1024D/023B3F4F |